CN114257391A - Risk assessment method and device and computer readable storage medium - Google Patents


Info

Publication number: CN114257391A
Application number: CN202011016242.1A
Authority: CN (China)
Prior art keywords: address, evaluated, attack, risk, score
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN114257391B (en)
Inventors: 马浩翔, 黄少琪, 陆晨晖, 秦博
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN202011016242.1A; published as CN114257391A; application granted and published as CN114257391B.

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1433 Vulnerability analysis (same path, under H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general (same path, under H04L63/00)

Abstract

The present disclosure provides a risk assessment method, a device and a computer readable storage medium, relating to the technical field of network security, wherein the method comprises the following steps: analyzing the collected traffic to obtain at least one attack IP address which attacks each IP address to be evaluated in a plurality of IP addresses to be evaluated within a predetermined time; determining a first risk score of each IP address to be evaluated according to attack information of each attack IP address attacking each IP address to be evaluated within the predetermined time, wherein the attack information comprises an attack means; determining a second risk score of each IP address to be evaluated according to whether each vulnerability in at least one vulnerability of each IP address to be evaluated is exploited to attack each IP address to be evaluated within the predetermined time; and determining the risk score of each IP address to be evaluated according to the first risk score and the second risk score.

Description

Risk assessment method and device and computer readable storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a risk assessment method, apparatus, and computer-readable storage medium.
Background
With the development of internet technology, network security becomes more and more important. The risk of the IP address can be determined by using the alarm log of the network intrusion detection/prevention system. However, because the number of alarm logs is large, if the operation and maintenance personnel check each alarm log one by one to judge the risk of the IP address, the workload is huge and errors are easy to occur.
In the related art, when the risks of different IP addresses are evaluated, once the risk of each IP address is determined, the risk of the IP address does not change, that is, the risk of the IP address is statically evaluated.
Disclosure of Invention
The inventors have noted that the approach in the related art is inaccurate for risk assessment of an IP address, which may result in a security threat for the IP address.
In order to solve the above problem, the embodiments of the present disclosure propose the following solutions.
According to an aspect of the embodiments of the present disclosure, there is provided a risk assessment method, including: analyzing the collected traffic to obtain at least one attack IP address which attacks each IP address to be evaluated in a plurality of IP addresses to be evaluated within a predetermined time; determining a first risk score of each IP address to be evaluated according to attack information of each attack IP address attacking each IP address to be evaluated within the predetermined time, wherein the attack information comprises an attack means; determining a second risk score of each IP address to be evaluated according to whether each vulnerability in at least one vulnerability of each IP address to be evaluated is exploited to attack each IP address to be evaluated within the predetermined time; and determining the risk score of each IP address to be evaluated according to the first risk score and the second risk score.
In some embodiments, the at least one attack IP address comprises a plurality of attack IP addresses; the determining the first risk score of each to-be-evaluated IP address according to the attack information of each attack IP address attacking each to-be-evaluated IP address in the preset time comprises the following steps: determining a first risk sub-score of each attack IP address according to the attack information of each attack IP address attacking each IP address to be evaluated in the preset time so as to obtain a plurality of first risk sub-scores; determining the first risk score according to a maximum value and a median value of the plurality of first risk sub-scores and the number of the plurality of attack IP addresses.
In some embodiments, said determining said first risk score according to a maximum and a median of said plurality of first risk sub-scores and a number of said plurality of attack IP addresses comprises: obtaining a first value according to a maximum value and a median value of the plurality of first risk sub-scores; obtaining a second value according to the number of the attack IP addresses; calculating a product of the first value and the second value to obtain the first risk score.
In some embodiments, the greater the maximum value and the median value, the greater the first value; the larger the number of the plurality of attack IP addresses, the larger the second value.
In some embodiments, the first risk score of the IP address to be evaluated IP_a is calculated according to the following formula:
[Formula images BDA0002699164450000021 and BDA0002699164450000022: first risk score of IP_a; the formula itself is not reproduced in the text.]
Wherein: a is the index of the IP address to be evaluated within the predetermined time; N_a is the number of attack IP addresses attacking the IP address to be evaluated IP_a within the predetermined time, N_a being an integer greater than 1; [symbol BDA0002699164450000023] is the maximum value of the first risk sub-scores [symbol BDA0002699164450000024] of the attack IP addresses IP_i attacking IP_a within the predetermined time, i ∈ [1, N_a]; [symbol BDA0002699164450000025] is the median value of the first risk sub-scores [symbol BDA0002699164450000026] of the attack IP addresses IP_i attacking IP_a within the predetermined time; θ is a weight between the maximum value and the median value; λ is a constant greater than 1.
In some embodiments, the determining the second risk score for each to-be-evaluated IP address according to whether each of the at least one vulnerability for each to-be-evaluated IP address is exploited to attack each to-be-evaluated IP address within the predetermined time includes: acquiring a Common Vulnerability Scoring System (CVSS) score of each vulnerability; determining the dynamic vulnerability score of each vulnerability according to whether each vulnerability is exploited to attack the IP address to be evaluated within the predetermined time; determining a second risk sub-score of each vulnerability according to the CVSS score and the dynamic vulnerability score of each vulnerability; and determining the second risk score according to the second risk sub-score of each vulnerability.
In some embodiments, the at least one vulnerability includes a plurality of vulnerabilities; determining the second risk score according to the second risk sub-score of each vulnerability comprises: determining a maximum value of a plurality of second risk sub-scores of the plurality of vulnerabilities according to the second risk sub-score of each vulnerability; determining the second risk score according to a ratio of the second risk sub-score of each vulnerability to a maximum value of the plurality of second risk sub-scores and a maximum value of the plurality of second risk sub-scores.
In some embodiments, the dynamic vulnerability score of vulnerability b is calculated according to the following formula:
[Formula images BDA0002699164450000031 and BDA0002699164450000032: dynamic vulnerability score of vulnerability b; the formula itself is not reproduced in the text.]
Wherein: b is the index of the vulnerability of the IP address to be evaluated IP_a within the predetermined time, b ∈ [1, M_a]; i is the index of the attack IP addresses that exploit vulnerability b to attack the IP address to be evaluated IP_a within the predetermined time, [symbol BDA0002699164450000033]; [symbol BDA0002699164450000034] is the total number of attacks in which attack IP address IP_i exploits vulnerability b to attack the IP address to be evaluated IP_a within the predetermined time.
The second risk sub-score of vulnerability b is determined according to the following formula:
[Formula images BDA0002699164450000035 and BDA0002699164450000036: second risk sub-score of vulnerability b; the formula itself is not reproduced in the text.]
Wherein VS_b is the CVSS score of vulnerability b; μ is the weight of the dynamic vulnerability score [symbol BDA0002699164450000037] of vulnerability b relative to its CVSS score.
The second risk score of the IP address to be evaluated IP_a is calculated according to the following formula:
[Formula images BDA0002699164450000038 and BDA0002699164450000039: second risk score of IP_a; the formula itself is not reproduced in the text.]
Wherein [symbol BDA00026991644500000310] is the maximum value of the second risk sub-scores [symbol BDA00026991644500000311] of the vulnerabilities b of the IP address to be evaluated IP_a; b_max denotes the b_max-th vulnerability; p is a constant.
In some embodiments, the method further comprises: acquiring a third risk score of each IP address to be evaluated, wherein the third risk score is a fixed value reflecting the importance of each IP address to be evaluated; determining the risk score of each to-be-evaluated IP address according to the first risk score and the second risk score includes: and determining the risk score of each IP address to be evaluated according to the first risk score, the second risk score and the third risk score.
According to another aspect of the embodiments of the present disclosure, there is provided a risk assessment apparatus including: the analysis module is configured to analyze the collected traffic to obtain at least one attack IP address which attacks each IP address to be evaluated in a plurality of IP addresses to be evaluated within preset time; a first determining module configured to determine a first risk score of each to-be-evaluated IP address according to attack information of each attack IP address attacking each to-be-evaluated IP address within the predetermined time, wherein the attack information comprises attack means; a second determining module configured to determine a second risk score for each to-be-evaluated IP address according to whether each of at least one vulnerability of each to-be-evaluated IP address is utilized to attack each to-be-evaluated IP address within the predetermined time; and the third determining module is configured to determine the risk score of each IP address to be evaluated according to the first risk score and the second risk score.
According to still another aspect of the embodiments of the present disclosure, there is provided a risk assessment apparatus including: a memory; and a processor coupled to the memory, the processor configured to perform the method of any of the above embodiments based on instructions stored in the memory.
According to a further aspect of the embodiments of the present disclosure, there is provided a computer-readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the method according to any one of the embodiments described above.
In the embodiment of the disclosure, the risk score of each to-be-evaluated IP address not only considers the attack means of attacking the to-be-evaluated IP address to attack the IP address, but also considers the situation that the vulnerability of the to-be-evaluated IP address is utilized. In such a way, the risk score of the IP address to be evaluated dynamically changes along with the change of an attack means and the utilization condition of the vulnerability, and the risk of the IP address to be evaluated can be more accurately reflected, so that the risk evaluation of the IP address to be evaluated is more accurate.
The technical solution of the present disclosure is further described in detail by the accompanying drawings and examples.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic flow diagram of a risk assessment method according to some embodiments of the present disclosure;
fig. 2 is a schematic flow diagram of determining a first risk score for each IP address to be assessed according to some implementations of the present disclosure;
FIG. 3 is a schematic flow diagram of determining a second risk score for each IP address to be assessed according to some implementations of the present disclosure;
FIG. 4 is a schematic structural diagram of a risk assessment device according to some embodiments of the present disclosure;
FIG. 5 is a schematic structural diagram of a risk assessment device according to further embodiments of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a schematic flow diagram of a risk assessment method according to some embodiments of the present disclosure.
In step 102, the collected traffic is analyzed to obtain at least one attack IP address that attacks each of the multiple IP addresses to be evaluated within a predetermined time.
For example, traffic may be collected from the network using WAF (web application level intrusion prevention system) or IDPS (intrusion detection and prevention system). The collected traffic may include various network data. By analyzing the collected traffic, the condition that each IP address to be evaluated is attacked can be obtained, and thus the attack IP address which attacks each IP address to be evaluated within the preset time can be obtained.
For example, alarm logs of each attack IP address attacking a certain IP address to be evaluated may be classified into data clusters, and the data clusters may be analyzed.
It is to be understood that the length of the predetermined time may be determined according to the actual application. For example, the predetermined time may be one week, such as the past week. It should also be understood that the IP address to be evaluated may be, for example, an IP address inside an enterprise.
In step 104, a first risk score of each to-be-evaluated IP address is determined according to the attack information of each attack IP address attacking each to-be-evaluated IP address within the preset time.
Here, the attack information includes at least attack means. The attack means may include, for example, SQL (Structured Query Language) injection, code execution, XSS (Cross Site Scripting) attack, command execution, weak passwords, and the like. Command execution may include, for example, Shell command execution and the weak password may include, for example, Web weak password login.
For example, the first risk score of a certain IP address to be evaluated may be determined according to the total number of distinct attack means used against it, the number of times each attack means is used to attack it or other IP addresses to be evaluated (i.e., the popularity of the attack means), and the like. For example, the greater the total number of attack means, the higher the first risk score of the IP address to be evaluated. As another example, the more aggressive each attack means, the higher the first risk score of the IP address to be evaluated.
In some embodiments, the attack information may also include the number of attacks, the uniformity of attack time, and the like. For example, the more the number of attacks, the more uniform the attack time, and the higher the first risk score of the IP address to be evaluated.
In step 106, a second risk score of each to-be-evaluated IP address is determined according to whether each vulnerability in at least one vulnerability of each to-be-evaluated IP address is utilized to attack each to-be-evaluated IP address within a preset time.
For example, the more the vulnerability of each to-be-evaluated IP address is exploited, the higher the second risk score for that to-be-evaluated IP address.
In step 108, a risk score for each IP address to be evaluated is determined based on the first risk score and the second risk score.
For example, the risk score of each to-be-evaluated IP address is the sum of the first risk score and the second risk score of each to-be-evaluated IP address. In some embodiments, the risk score for each IP address to be evaluated may be displayed after the risk score is determined.
In the above embodiment, the risk score of each to-be-evaluated IP address not only considers an attack means for attacking the to-be-evaluated IP address to attack the to-be-evaluated IP address, but also considers a situation that a vulnerability of the to-be-evaluated IP address is utilized. In such a way, the risk score of the IP address to be evaluated dynamically changes along with the change of an attack means and the utilization condition of the vulnerability, and the risk of the IP address to be evaluated can be more accurately reflected, so that the risk evaluation of the IP address to be evaluated is more accurate.
In some embodiments, a third risk score of each to-be-evaluated IP address may also be obtained, and then the risk score of each to-be-evaluated IP address is determined according to the first risk score, the second risk score, and the third risk score. Here, the third risk score is a fixed value reflecting the importance of each IP address to be evaluated, i.e., no longer changing after determination. For example, the risk score of each IP address to be assessed is the sum of the first risk score, the second risk score, and the third risk score.
In the embodiment, by combining the dynamic scoring and the static scoring, the risk assessment of the IP address to be assessed can be more accurately carried out, so that the IP address with high risk can be maintained in time.
In some embodiments, the at least one attack IP address that attacks each IP address to be evaluated comprises a plurality of attack IP addresses. Some specific implementations of determining the first risk score of each IP address to be evaluated are described below in conjunction with fig. 2.
Fig. 2 is a schematic flow diagram of determining a first risk score for each IP address to be assessed according to some implementations of the present disclosure.
In step 114, according to the attack information of each attack IP address attacking each to-be-evaluated IP address within a predetermined time, a first risk sub-score of each attack IP address is determined to obtain a plurality of first risk sub-scores.
For a certain IP address to be evaluated, according to the attack information of each attack IP address in a plurality of attack IP addresses attacking the IP address to be evaluated, the first risk sub-score of each attack IP address can be determined, so that a plurality of first risk sub-scores of the attack IP addresses can be obtained.
At step 124, a first risk score is determined based on the maximum and median values of the plurality of first risk sub-scores and the number of the plurality of attack IP addresses.
As some implementations, the first value is derived from a maximum value and a median value of the plurality of first risk sub-scores; obtaining a second value according to the number of the attack IP addresses; a product of the first value and the second value is calculated to obtain a first risk score. For example, the greater the maximum value of the plurality of first risk sub-scores and the median value of the plurality of first risk sub-scores, the greater the first value; the larger the number of the plurality of attack IP addresses, the larger the above second value.
In the above embodiment, the first risk sub-score of each attack IP address is determined first, and then the first risk score of each IP address to be evaluated is determined according to the maximum value and the median value of the plurality of first risk sub-scores and the number of the plurality of attack IP addresses. In this way, the risk posed by each attack IP address is comprehensively considered, and the first risk score of each IP address to be evaluated is more accurate.
Some embodiments of the first risk score [symbol BDA0002699164450000081] of the IP address to be evaluated IP_a are described below.
For example, the first risk score of the IP address to be evaluated IP_a may be calculated according to the following formula:
[Formula images BDA0002699164450000082 and BDA0002699164450000083: first risk score of IP_a; the formula itself is not reproduced in the text.]
In the above formula, a is the index of the IP address to be evaluated within the predetermined time, and IP_a denotes a certain IP address to be evaluated. N_a is the number of attack IP addresses attacking the IP address to be evaluated IP_a within the predetermined time, N_a being an integer greater than 1.
[symbol BDA0002699164450000084] is the maximum value of the first risk sub-scores [symbol BDA0002699164450000085] of the attack IP addresses IP_i attacking the IP address to be evaluated IP_a within the predetermined time, i ∈ [1, N_a].
[symbol BDA0002699164450000086] is the median value of the first risk sub-scores [symbol BDA0002699164450000087] of the attack IP addresses IP_i attacking the IP address to be evaluated IP_a within the predetermined time. θ is the weight between the maximum value and the median value, e.g., 1. λ is a constant greater than 1. For example, if, of the two, the first risk sub-score statistic [symbol BDA0002699164450000088] is of greater interest, θ may be set to a value less than 1.
For example, the attack IP addresses IP_i attacking the IP address to be evaluated IP_a include IP_1, IP_2, …, IP_{N_a}; [symbol BDA0002699164450000089] are the first risk sub-scores of IP_1, IP_2, …, IP_{N_a} respectively; [symbol BDA00026991644500000810] is the maximum value of [symbols BDA00026991644500000811, BDA00026991644500000812]; [symbol BDA00026991644500000813] is the median value of [symbol BDA00026991644500000814].
In this manner, the first risk sub-score of each attack IP address attacking the IP address to be evaluated IP_a is comprehensively considered to obtain the first risk score [symbol BDA0002699164450000091] of the IP address to be evaluated IP_a. In a similar manner, the first risk scores of other IP addresses to be evaluated may be obtained, and thus the first risk score of each IP address to be evaluated may be obtained.
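As an added worked example (not code from the patent or from China Telecom), the following Python instantiates steps 102, 104, 114 and 124 for constructed WAF/IDPS alert records. The patent names the factors (attack means and their aggressiveness, attack counts, the maximum and median of the first risk sub-scores, N_a, θ and λ) but its formula images are not reproduced on this page, so the severity table, the capped-volume sub-score, the form θ·max + median for the first value and 1 + log_λ(N_a) for the second value are assumptions of this example.

```python
"""First risk score for each IP address to be evaluated (added example; the
functional forms below are assumptions, not the patent's own formulas)."""
import math
from collections import defaultdict
from statistics import median

# Constructed WAF/IDPS alert clusters (not from the patent), one per line:
# attacking IP, IP under evaluation, attack means, alerts in the predetermined window.
ALERTS = [
    ("203.0.113.10", "10.0.0.5", "sql_injection", 40),
    ("203.0.113.10", "10.0.0.5", "xss", 5),
    ("203.0.113.11", "10.0.0.5", "weak_password", 12),
    ("203.0.113.12", "10.0.0.5", "command_execution", 3),
    ("203.0.113.12", "10.0.0.5", "sql_injection", 2),
    ("198.51.100.7", "10.0.0.6", "xss", 1),
]

# Assumed "aggressiveness" of each attack means the description names.
MEANS_SEVERITY = {
    "sql_injection": 0.8, "code_execution": 1.0, "xss": 0.5,
    "command_execution": 1.0, "weak_password": 0.6,
}
VOLUME_CAP = 10  # assumed: alert counts above this no longer raise the sub-score


def attackers_by_target(alerts):
    """Step 102: group alerts per IP under evaluation, then per attacking IP."""
    grouped = defaultdict(lambda: defaultdict(dict))
    for src, dst, means, count in alerts:
        grouped[dst][src][means] = grouped[dst][src].get(means, 0) + count
    return grouped


def first_risk_sub_score(means_counts):
    """Step 114 (assumed form): severity-weighted, volume-capped sum over the
    attack means one attacking IP used against the evaluated IP."""
    return sum(MEANS_SEVERITY.get(m, 0.5) * min(c, VOLUME_CAP) / VOLUME_CAP
               for m, c in means_counts.items())


def first_risk_score(sub_scores, theta=1.0, lam=2.0):
    """Step 124: first value from the maximum and the median (theta weights the
    maximum against the median), second value growing with N_a through a
    base-lambda logarithm (lambda > 1), and the product of both. Assumed forms."""
    if len(sub_scores) < 2:        # the patent's formula requires N_a > 1
        return max(sub_scores, default=0.0)
    first_value = theta * max(sub_scores) + median(sub_scores)
    second_value = 1.0 + math.log(len(sub_scores), lam)
    return first_value * second_value


def first_risk_scores(alerts, theta=1.0, lam=2.0):
    """Return {evaluated IP: first risk score} for every IP seen in the alerts."""
    result = {}
    for dst, attackers in attackers_by_target(alerts).items():
        subs = [first_risk_sub_score(mc) for mc in attackers.values()]
        result[dst] = first_risk_score(subs, theta, lam)
    return result


if __name__ == "__main__":
    for ip, score in first_risk_scores(ALERTS).items():
        print(f"{ip}: first risk score {score:.3f}")
```

Running the module prints one first risk score per evaluated IP. Because N_a enters through a logarithm, a target hit by many low-scoring attackers does not automatically outscore one hit by a few attackers using severe means; lowering λ makes attacker count matter more, and lowering θ shifts weight from the single worst attacker to the median one.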
Fig. 3 is a schematic flow diagram of determining a second risk score for each IP address to be assessed according to some implementations of the present disclosure.
At step 116, a Common Vulnerability Scoring System (CVSS) score for each vulnerability is obtained.
For example, the vulnerabilities of each IP address to be evaluated may be extracted from vulnerability scan reports and threat logs. The CVSS score of each vulnerability is a fixed value.
In step 126, a dynamic vulnerability score for each vulnerability is determined based on whether each vulnerability is exploited to attack the IP address to be assessed within a predetermined time.
For example, the dynamic vulnerability score of vulnerability b may be calculated according to the following formula:
[Formula images BDA0002699164450000092 and BDA0002699164450000093: dynamic vulnerability score of vulnerability b; the formula itself is not reproduced in the text.]
In the above formula, b is the index of the vulnerability of the IP address to be evaluated IP_a within the predetermined time, b ∈ [1, M_a]. For example, the vulnerabilities of the IP address to be evaluated IP_a include vulnerability_1, [symbol BDA0002699164450000098]. i is the index of the attack IP addresses that exploit vulnerability b to attack the IP address to be evaluated IP_a within the predetermined time, [symbol BDA0002699164450000094]; [symbol BDA0002699164450000095] is the total number of attacks in which attack IP address IP_i exploits vulnerability b to attack the IP address to be evaluated IP_a within the predetermined time.
At step 136, a second risk sub-score for each vulnerability is determined based on the CVSS score and the dynamic vulnerability score for each vulnerability.
For example, the second risk sub-score of vulnerability b may be determined according to the following formula:
[Formula images BDA0002699164450000096 and BDA0002699164450000097: second risk sub-score of vulnerability b; the formula itself is not reproduced in the text.]
In the above formula, VS_b is the CVSS score of vulnerability b; for example, VS_b ∈ [0, 10]. μ is the weight of the dynamic vulnerability score [symbol BDA0002699164450000099] of vulnerability b relative to its CVSS score; for example, μ may be 1.
At step 146, a second risk score is determined based on the second risk sub-score for each vulnerability.
In some embodiments, in a case where the at least one vulnerability of each to-be-evaluated IP address includes a plurality of vulnerabilities, the second risk score may be determined according to: determining the maximum value of a plurality of second risk sub-scores of a plurality of vulnerabilities according to the second risk sub-score of each vulnerability; and determining a second risk score according to the ratio of the second risk sub-score of each vulnerability to the maximum value in the plurality of second risk sub-scores and the maximum value in the plurality of second risk sub-scores.
For example, the second risk score of the IP address to be evaluated IP_a is calculated according to the following formula:
[Formula images BDA0002699164450000101 and BDA0002699164450000102: second risk score of IP_a; the formula itself is not reproduced in the text.]
In the above formula, [symbol BDA0002699164450000103] is the maximum value of the second risk sub-scores [symbol BDA0002699164450000104] of the vulnerabilities b of the IP address to be evaluated IP_a; b_max denotes the b_max-th vulnerability; p is a constant.
For example, the second risk sub-scores [symbol BDA0002699164450000105] of vulnerability_1, [symbol BDA0002699164450000108] are respectively [symbol BDA0002699164450000106]; [symbol BDA0002699164450000107] is the maximum value of [symbol BDA0002699164450000109].
According to the method, the second risk score of each IP address to be evaluated can be obtained.
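As an added worked example (not code from the patent or from China Telecom), the following Python instantiates steps 116 to 146 for one evaluated IP and then combines the result with the first and third risk scores as in step 108 and the third-score embodiment. The inputs follow the description (a CVSS score VS_b per vulnerability from a scan report, per-attacker exploitation counts from a threat log, the weight μ, the constant p and a static third score), but the formula images are not reproduced on this page, so the logarithmic dynamic score, the sum VS_b + μ·dynamic score and the p-norm of sub-score-to-maximum ratios are assumptions of this example; the sample scan report and threat log are constructed.

```python
"""Second risk score and final risk score for one IP address to be evaluated
(added example; the functional forms are assumptions, not the patent's formulas)."""
import math

# Constructed inputs (not from the patent) for the evaluated IP 10.0.0.5.
# Vulnerability scan report: vulnerability id -> CVSS score VS_b in [0, 10].
SCAN_REPORT = {"VULN-1": 9.8, "VULN-2": 7.5, "VULN-3": 5.3}

# Threat log: (attacking IP, vulnerability exploited, attacks in the window).
# VULN-1, the highest-CVSS finding, was not exploited in the window at all.
THREAT_LOG = [
    ("203.0.113.10", "VULN-2", 30),
    ("203.0.113.11", "VULN-2", 6),
    ("203.0.113.12", "VULN-3", 1),
]

MU = 1.0   # weight of the dynamic vulnerability score against the CVSS score
P = 2.0    # constant in the second-risk-score aggregation (assumed role)


def exploitation_counts(threat_log):
    """Step 126 input: {vulnerability: {attacking IP: total attacks}}."""
    counts = {}
    for src, vuln, n in threat_log:
        counts.setdefault(vuln, {})
        counts[vuln][src] = counts[vuln].get(src, 0) + n
    return counts


def dynamic_vulnerability_score(per_attacker):
    """Step 126 (assumed form): 0 when the vulnerability was not exploited;
    otherwise grows with the number of distinct attacking IPs (the index i)
    and, through a logarithm, with the total attack volume."""
    if not per_attacker:
        return 0.0
    return len(per_attacker) * math.log10(1 + sum(per_attacker.values()))


def second_risk_sub_score(cvss, dynamic, mu=MU):
    """Step 136 (assumed form): fixed CVSS score plus mu times the dynamic score."""
    return cvss + mu * dynamic


def second_risk_score(sub_scores, p=P):
    """Step 146 (assumed form): the maximum sub-score scaled by the p-norm of the
    ratios of every sub-score to that maximum, so the worst exploited finding
    dominates and each further finding adds less than its own sub-score."""
    s_max = max(sub_scores)
    if s_max <= 0:
        return 0.0
    return s_max * sum((s / s_max) ** p for s in sub_scores) ** (1 / p)


def second_risk_score_for_ip(scan_report, threat_log):
    """Steps 116-146 end to end for one evaluated IP."""
    exploited = exploitation_counts(threat_log)
    subs = [second_risk_sub_score(vs, dynamic_vulnerability_score(exploited.get(v, {})))
            for v, vs in scan_report.items()]
    return second_risk_score(subs)


def risk_score(first, second, third=0.0):
    """Step 108 with the third-score embodiment: the sum of the three scores."""
    return first + second + third


if __name__ == "__main__":
    second = second_risk_score_for_ip(SCAN_REPORT, THREAT_LOG)
    # 4.27 stands in for a first risk score computed from the alert data; 1.0 is
    # an assumed static importance value for 10.0.0.5.
    print(f"second risk score {second:.3f}, total {risk_score(4.27, second, 1.0):.3f}")
```

The point a practitioner should check in the output is that VULN-2 (CVSS 7.5, actively exploited by two attackers) ends up with a higher second risk sub-score than the unexploited VULN-1 (CVSS 9.8), which is exactly the dynamic behaviour the patent claims over a static CVSS-only ranking; re-running with an empty threat log reduces the score to the static ordering.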
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts in the embodiments are referred to each other. For the device embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Fig. 4 is a schematic structural diagram of a risk assessment device according to some embodiments of the present disclosure.
As shown in fig. 4, the risk assessment apparatus includes an analysis module 401, a first determination module 402, a second determination module 403, and a third determination module 404.
The analysis module 401 is configured to analyze the collected traffic to obtain at least one attack IP address that attacks each of the plurality of IP addresses to be evaluated within a predetermined time.
The first determining module 402 is configured to determine a first risk score for each to-be-evaluated IP address according to attack information of each attack IP address attacking each to-be-evaluated IP address within a predetermined time, the attack information including attack means.
The second determining module 403 is configured to determine a second risk score for each to-be-evaluated IP address according to whether each of the at least one vulnerability of each to-be-evaluated IP address is exploited to attack each to-be-evaluated IP address within a predetermined time.
The third determining module 404 is configured to determine a risk score for each IP address to be assessed based on the first risk score and the second risk score.
In the above embodiment, the risk score of each to-be-evaluated IP address not only considers an attack means for attacking the to-be-evaluated IP address to attack the to-be-evaluated IP address, but also considers a situation that a vulnerability of the to-be-evaluated IP address is utilized. In such a way, the risk score of the IP address to be evaluated dynamically changes along with the change of an attack means and the utilization condition of the vulnerability, and the risk of the IP address to be evaluated can be more accurately reflected, so that the risk evaluation of the IP address to be evaluated is more accurate.
FIG. 5 is a schematic structural diagram of a risk assessment device according to further embodiments of the present disclosure.
As shown in fig. 5, the risk assessment apparatus 500 includes a memory 501 and a processor 502 coupled to the memory 501, the processor 502 being configured to execute the method of any of the foregoing embodiments based on instructions stored in the memory 501.
The memory 501 may include, for example, a system memory, a fixed non-volatile storage medium, and the like. The system memory may store, for example, an operating system, application programs, a boot loader, and other programs.
The risk assessment apparatus 500 may further include an input/output interface 503, a network interface 504, a storage interface 505, and the like. The interfaces 503, 504, 505, the memory 501 and the processor 502 may be connected by a bus 506, for example. The input/output interface 503 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 504 provides a connection interface for various networking devices. The storage interface 505 provides a connection interface for external storage devices such as an SD card and a USB disk.
The scheme of the disclosed embodiments has good dynamic extensibility; for example, the dynamic scores are added on top of the static score.
The disclosed embodiments also provide a computer-readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the method of any of the above embodiments.
Thus, various embodiments of the present disclosure have been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that the functions specified in one or more of the flows in the flowcharts and/or one or more of the blocks in the block diagrams can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be understood by those skilled in the art that various changes may be made in the above embodiments or equivalents may be substituted for elements thereof without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (12)

1. A method of risk assessment, comprising:
analyzing the collected flow to obtain at least one attack IP address which attacks each IP address to be evaluated in a plurality of IP addresses to be evaluated within preset time;
determining a first risk score of each IP address to be evaluated according to attack information of each attack IP address attacking each IP address to be evaluated in the preset time, wherein the attack information comprises an attack means;
determining a second risk score of each IP address to be evaluated according to whether each vulnerability in at least one vulnerability of each IP address to be evaluated is utilized to attack each IP address to be evaluated within the preset time;
and determining the risk score of each IP address to be evaluated according to the first risk score and the second risk score.
2. The method of claim 1, wherein the at least one attack IP address comprises a plurality of attack IP addresses;
the determining the first risk score of each to-be-evaluated IP address according to the attack information of each attack IP address attacking each to-be-evaluated IP address in the preset time comprises the following steps:
determining a first risk sub-score of each attack IP address according to the attack information of each attack IP address attacking each IP address to be evaluated in the preset time so as to obtain a plurality of first risk sub-scores;
determining the first risk score according to a maximum value and a median value of the plurality of first risk sub-scores and the number of the plurality of attack IP addresses.
3. The method of claim 2, wherein said determining the first risk score according to a maximum and a median of the plurality of first risk sub-scores and the number of the plurality of attack IP addresses comprises:
obtaining a first value according to a maximum value and a median value of the plurality of first risk sub-scores;
obtaining a second value according to the number of the attack IP addresses;
calculating a product of the first value and the second value to obtain the first risk score.
4. The method of claim 3, wherein:
the larger the maximum value and the median value, the larger the first value;
the larger the number of the plurality of attack IP addresses, the larger the second value.
5. The method of claim 4, wherein:
the first risk score [image FDA0002699164440000021] of the IP address to be evaluated IP_a is calculated according to the following formula:
[formula image FDA0002699164440000022]
wherein:
a is the type of the IP address to be evaluated within the predetermined time;
N_a is the number of attack IP addresses attacking the IP address to be evaluated IP_a within the predetermined time, N_a being an integer greater than 1;
[image FDA0002699164440000023] is the maximum value of the first risk sub-scores [image FDA0002699164440000025] of the attack IP addresses IP_i attacking the IP address to be evaluated IP_a within the predetermined time, i ∈ [1, N_a];
[image FDA0002699164440000024] is the median value of the first risk sub-scores [image FDA0002699164440000026] of the attack IP addresses IP_i attacking the IP address to be evaluated IP_a within the predetermined time;
θ is a weight between the maximum value and the median value;
λ is a constant greater than 1.
6. The method of any one of claims 1-5, wherein the determining a second risk score for each IP address to be assessed according to whether each of the at least one vulnerability for each IP address to be assessed is exploited to attack each IP address to be assessed within the predetermined time comprises:
acquiring a Common Vulnerability Scoring System (CVSS) score of each vulnerability;
determining the dynamic vulnerability score of each vulnerability according to whether each vulnerability is utilized to attack the IP address to be evaluated in the preset time;
determining a second risk sub-score of each vulnerability according to the CVSS score and the dynamic vulnerability score of each vulnerability;
and determining the second risk score according to the second risk sub-score of each vulnerability.
7. The method of claim 6, wherein the at least one vulnerability comprises a plurality of vulnerabilities;
determining the second risk score according to the second risk sub-score of each vulnerability comprises:
determining a maximum value of a plurality of second risk sub-scores of the plurality of vulnerabilities according to the second risk sub-score of each vulnerability;
determining the second risk score according to a ratio of the second risk sub-score of each vulnerability to a maximum value of the plurality of second risk sub-scores and a maximum value of the plurality of second risk sub-scores.
8. The method of claim 7, wherein:
the dynamic vulnerability score [image FDA0002699164440000031] of vulnerability b is calculated according to the following formula:
[formula image FDA0002699164440000032]
wherein b is the vulnerability of the IP address to be evaluated IP_a within the predetermined time, b ∈ [1, M_a]; I is the number of kinds of attack IP addresses that exploit vulnerability b to attack the IP address to be evaluated IP_a within the predetermined time, [image FDA0002699164440000033]; [image FDA0002699164440000034] is the total number of attacks in which the attack IP address IP_i exploits vulnerability b to attack the IP address to be evaluated IP_a within the predetermined time;
the second risk sub-score [image FDA0002699164440000035] of vulnerability b is determined according to the following formula:
[formula image FDA0002699164440000036]
wherein VS_b is the CVSS score of vulnerability b, and μ is the weight of the dynamic vulnerability score [image FDA0002699164440000037] of vulnerability b relative to the CVSS score of vulnerability b;
the second risk score [image FDA0002699164440000038] of the IP address to be evaluated IP_a is calculated according to the following formula:
[formula image FDA0002699164440000039]
wherein [image FDA00026991644400000310] is the maximum value [image FDA00026991644400000312] of the second risk sub-scores [image FDA00026991644400000311] of the vulnerabilities b of the IP address to be evaluated IP_a, b_max denotes the b_max-th vulnerability, and P is a constant.
9. The method of claim 1, further comprising:
acquiring a third risk score of each IP address to be evaluated, wherein the third risk score is a fixed value reflecting the importance of each IP address to be evaluated;
determining the risk score of each to-be-evaluated IP address according to the first risk score and the second risk score includes:
and determining the risk score of each IP address to be evaluated according to the first risk score, the second risk score and the third risk score.
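As an added example (not code from the patent or from China Telecom), the following Python instance of the claim 1-9 pipeline scores two constructed hosts. Because the patent's formulas appear on this page only as images, the severity table, the constants θ, λ, μ, ρ and the claim 9 weights are assumptions chosen only to satisfy the monotonic relationships stated in claims 4, 5 and 7, and all addresses and vulnerability names are constructed.

```python
# Added example, not the patent's own code: a concrete instance of the claim 1-9 pipeline. The patent's
# formulas are images on this page, so every functional form below (severity table, theta/lambda/mu/rho,
# claim 9 weights) is an assumption chosen only to satisfy the monotonicity of claims 4, 5 and 7; all
# addresses and vulnerability names are constructed (RFC 5737 ranges).
import math
from collections import defaultdict
from statistics import median

SEVERITY = {"scan": 2.0, "bruteforce": 5.0, "exploit": 8.0}  # assumed severity per attack means
THETA, LAMBDA, MU, RHO = 0.5, 10.0, 0.5, 0.25                # assumed constants (lambda > 1)
WEIGHTS = (0.4, 0.4, 0.2)                                     # assumed weights for claim 9
# Constructed traffic-analysis output: (attack IP, IP to be evaluated, attack means, exploited vuln)
ATTACKS = [
    ("203.0.113.1", "192.0.2.10", "exploit", "vuln-1"),
    ("203.0.113.1", "192.0.2.10", "exploit", "vuln-1"),
    ("203.0.113.1", "192.0.2.10", "exploit", "vuln-1"),
    ("203.0.113.2", "192.0.2.10", "scan", None),
    ("203.0.113.3", "192.0.2.10", "bruteforce", None),
]
# Constructed inventory: CVSS base score per vulnerability; static importance is the third risk score
ASSETS = {
    "192.0.2.10": {"vulns": {"vuln-1": 9.8, "vuln-2": 5.3}, "importance": 8.0},
    "192.0.2.20": {"vulns": {"vuln-3": 7.5}, "importance": 3.0},
}

def first_risk_score(target, attacks):
    # Claims 2-5: one sub-score per attack IP (worst means it used), then f(max, median) * g(N_a).
    per_ip = defaultdict(float)
    for src, dst, means, _ in attacks:
        if dst == target:
            per_ip[src] = max(per_ip[src], SEVERITY.get(means, 0.0))
    if not per_ip:                 # nobody attacked this address in the window
        return 0.0
    subs = list(per_ip.values())
    first_value = THETA * max(subs) + (1 - THETA) * median(subs)  # grows with max and median
    second_value = 1 + math.log(len(subs), LAMBDA)                 # grows with N_a
    return first_value * second_value

def second_risk_score(target, attacks):
    # Claims 6-8: dynamic score from observed exploitation, mixed with CVSS by mu, then combined.
    exploiters, hits = defaultdict(set), defaultdict(int)  # per vuln: attack IPs (I), total attempts
    for src, dst, _, vuln in attacks:
        if dst == target and vuln:
            exploiters[vuln].add(src)
            hits[vuln] += 1
    subs = {}
    for vuln, cvss in ASSETS[target]["vulns"].items():
        dynamic = min(10.0, 2.0 * len(exploiters[vuln]) + 0.5 * hits[vuln])  # 0 if never exploited
        subs[vuln] = (1 - MU) * cvss + MU * dynamic
    s_max = max(subs.values(), default=0.0)
    if s_max == 0.0:
        return 0.0
    others = sum(s / s_max for s in subs.values()) - 1.0  # ratios of the non-maximal sub-scores
    return min(10.0, s_max * (1 + RHO * others))

def risk_score(target, attacks=ATTACKS):
    # Claim 9: the two dynamic scores plus the static importance score, linearly weighted.
    s1, s2, s3 = first_risk_score(target, attacks), second_risk_score(target, attacks), ASSETS[target]["importance"]
    risk = sum(w * s for w, s in zip(WEIGHTS, (s1, s2, s3)))
    return {"first": s1, "second": s2, "third": s3, "risk": risk}
```

Running it ranks 192.0.2.10, whose vulnerability is being actively exploited, above 192.0.2.20, which has no attackers and a lower static importance; the same CVSS figures alone would not show that difference.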
10. A risk assessment device comprising:
the analysis module is configured to analyze the collected traffic to obtain at least one attack IP address which attacks each IP address to be evaluated in a plurality of IP addresses to be evaluated within preset time;
a first determining module configured to determine a first risk score of each to-be-evaluated IP address according to attack information of each attack IP address attacking each to-be-evaluated IP address within the predetermined time, wherein the attack information comprises attack means;
a second determining module configured to determine a second risk score for each to-be-evaluated IP address according to whether each of at least one vulnerability of each to-be-evaluated IP address is utilized to attack each to-be-evaluated IP address within the predetermined time;
and the third determining module is configured to determine the risk score of each IP address to be evaluated according to the first risk score and the second risk score.
11. A risk assessment device comprising:
a memory; and
a processor coupled to the memory and configured to perform the method of any of claims 1-9 based on instructions stored in the memory.
12. A computer readable storage medium having computer program instructions stored thereon, wherein the instructions, when executed by a processor, implement the method of any of claims 1-9.
CN202011016242.1A 2020-09-24 2020-09-24 Risk assessment method, apparatus and computer readable storage medium Active CN114257391B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011016242.1A CN114257391B (en) 2020-09-24 2020-09-24 Risk assessment method, apparatus and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114257391A true CN114257391A (en) 2022-03-29
CN114257391B CN114257391B (en) 2024-01-26

Family

ID=80790011

Country Status (1)

Country Link
CN (1) CN114257391B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4258147A1 (en) * 2022-04-08 2023-10-11 Securitymetrics, Inc. Network vulnerability assessment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018177210A1 (en) * 2017-03-27 2018-10-04 新华三技术有限公司 Defense against apt attack
CN110011955A (en) * 2018-12-06 2019-07-12 阿里巴巴集团控股有限公司 A kind of SSRF loophole or attack determination, processing method, device, equipment and medium
CN110445766A (en) * 2019-07-17 2019-11-12 海南大学 Ddos attack method for situation assessment and device
CN110855722A (en) * 2020-01-16 2020-02-28 北京安博通科技股份有限公司 Host risk assessment method and device
CN111193728A (en) * 2019-12-23 2020-05-22 成都烽创科技有限公司 Network security evaluation method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN114257391B (en) 2024-01-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant